I've got a single page application that currently uses Azure AD B2C authentication to allow users to sign in, and then use the auth cookies to talk directly to internal services. There is now a requirement that we use two factor auth on top of the existing AD auth. We've already rolled our own 'second factor' auth, and we need to be able to integrate with that (I'd much rather use the built in MFA that Azure provides, but for this question assume that isn't an option).
Our issue is that we don't want to call our MFA service until the user has authenticated succesfully with AD - but of course, once they have, they are already authenticated, and it's too late.
When Azure AD hands back to us via the call back (we are using CookieAuthenticationEvents), is there any way to defer the access token being available until our own second factor auth step succeeds?
Just as juunas suggested, try to use custom polices which are designed primarily to address complex scenarios.
Reference:
Custom policies in Azure Active Directory B2C
Related
I want my application to be able to use an external user pool from my customers Azure AD, instead of them having to maually create every user in my application, when they already have them in Azure AD.
Initially, I though of using only OIDC for this as I can just create the user in my application upon the first login. But OIDC does not allow me to logout and deactivate the user in my application when they are deleted in Azure AD. This is an important requirement for my application.
To solve this, I think I could combine OIDC and SCIM:
Azure AD provisions the users to my application through SCIM endpoints. When deactivated, Azure notifies my application through the SCIM endpoints and I can delete their session and deactivate them in my application.
Login is handled with OIDC. When I have a valid OIDC token I create a session in my app. This way I don't have to manage passwords or multi factor authentication in my app.
Does it make sense to use SCIM and OIDC together?
Yes, it makes sense to use SCIM and OIDC together in the way that you describe.
It also has other advantages to "pre-provision" with SCIM: for example, when users want to address accounts other users that have not logged in yet. Adding such a user to a group would not work with "just-in-time account provisioning" since the account would not exist (yet).
I have been able to set up Azure AD Authentication with Auth0. According to my research, Azure AD is similar to AWS Cognito and Firebase. So can we use Azure AD to handle flows like User Creation, Password Reset, Expire Password etc. from a NodeJS Admin Backend?
Azure Ad is microsoft's identity platform. while yes in some ways is similar to aws cognito, it is a bit different as well. it's not designed specifically for developers, it's designed as an identity platform for your organization.
to answer your second question, it really depends on what you are expecting it to do. For example, there is an api, called graph api, which lets you interact and do almost everything you want to azure ad through that api. https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api create users, groups etcetc. but if you are looking for user signup using their own emails and that sort of thing, the closest thing you should be looking at is Azure Ad B2C.
Azure B2c Takes care of some of the more common scenarios like signups and such
https://azure.microsoft.com/en-us/services/active-directory/external-identities/b2c/
I'm new to Protractor and am wanting to write C# tests that run against an Angular 8 application. The problem is, the application uses Azure AD for authentication and I don't know the correct approach to authenticate automatically when running the test. If I navigate to the application URL it redirects to the Microsoft login page for authentication but I can't seem to access this.
You can use the libraries given by Microsoft to implement applications for authenticating to Azure.MSAL is one of the libreary whiich is best to use. If you want to use MSAL to acquire a token, you need to:
Register an application in Azure AD.
Add target API, and grant consent to select permissions.
Generate a secret key.
Then you can get a token as Acquire a token and call Microsoft Graph API.
However, I think what you really want is to integrate AAD. You can easily enable AAD authentication for your .NET web application. It uses OWIN middleware.
I am working on an ASP.Net MVC application which will handle two types of users
External Users (Need to authenticate using Azure B2C with username as login instead of email as login)
Internal Users (which already exist in Corporate Azure AD)
What is the right way of implementing it?
One option is to run two separate instances of the application configured against each IDP. Keep each type of user stick to one app instance.
I tried to register AD and AD B2C in one app by registering two OpenIdConnect services but having problems when the user tries to access a resource without first logging into the application. Without knowing the type of the user I cannot specify AuthenticationSchema in the Authorize tag.
I am sure people have done this before so if you someone who knows how to do it, then please guide me..
Based on the code sample mentioned at URL: https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation , I implemented an application that uses WS-Federation (ASP.Net WS-Federation OWIN middleware) to authenticate users from an Azure AD tenant. Now I am looking for an approach to query the Graph API later in my application to fetch additional claims information required from application point of view.
Here in this scenario, I would like to know whether it is possible to query the Graph API or not. Do I need to update the existing WS-Federation protocol to OpenId Connect.
Can anyone help me to provide their guidance here.
The ideal would be to move to OpenId Connect, which would allow you to take care of both sign in and API in a single setup and flow.
If you want to stick with your current ws-fed setup, you can layer oauth2 on top of your implementation and retrieve the access token you need any time after the sign in. We have a sample showing exactly that, see https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-webapi-oauth2-useridentity/